The EU's Digital Operational Resilience Act, better known as DORA, has moved from regulatory horizon to operational reality — and a growing body of expert analysis now makes clear that the financial sector's traditional approach to managing third-party technology risk is no longer adequate. A new analysis published through UK Finance and authored by Craig Oliver and Karan Chao of PA Consulting argues that DORA fundamentally changes the rules of engagement between financial entities and the vendors, cloud providers, and technology partners upon which they depend.

The central thrust of the analysis is both straightforward and consequential: financial institutions cannot simply layer DORA compliance obligations on top of existing third-party oversight frameworks and call it done. The regulation demands something structurally different — a shift from periodic vendor assessments and contractual checklists toward an integrated, continuous, and deeply embedded model of digital operational resilience that runs through the entire institution.

What DORA Actually Requires

At its core, DORA imposes binding requirements across five pillars: information and communications technology risk management, incident reporting, digital operational resilience testing, third-party risk management, and information-sharing arrangements. What distinguishes it from prior regulatory guidance on operational resilience is its enforceability and its specificity regarding third-party relationships. Financial entities operating within the European Union — including banks, insurers, investment firms, and payment processors — must now demonstrate not just that they have vendor oversight policies, but that those policies produce measurable outcomes and that institutions retain genuine control over critical outsourced functions.

The Oliver and Chao analysis, channelled through UK Finance, makes the case that meeting this bar requires financial organizations to fundamentally revisit how they classify, monitor, and engage with their technology supply chains. Third-party Information and Communications Technology (ICT) providers that support critical or important functions are subject to heightened requirements, and financial entities bear the responsibility for ensuring those providers meet the standard — regardless of contractual assurances.

The Limits of Traditional Third-Party Oversight

Legacy third-party risk management typically operated on a compliance-driven cadence: annual due diligence reviews, questionnaire-based assessments, and contractual clauses designed primarily to allocate legal liability rather than ensure genuine resilience. That model was always imperfect, but it was broadly tolerated by regulators who lacked both the mandate and the tools to demand more. DORA changes that calculus decisively. The regulation does not merely encourage better practice — it mandates it, with supervisory authorities now empowered to impose remedial requirements on both financial entities and, in certain circumstances, their critical third-party ICT providers directly.

For institutions that have relied heavily on outsourced technology infrastructure — cloud computing, Software-as-a-Service platforms, payment processing networks — this creates a genuine compliance challenge. The question is no longer whether a vendor has signed off on the right contractual language, but whether the financial entity has the visibility, the testing capability, and the operational architecture to demonstrate resilience end-to-end. As Oliver and Chao make clear, the responsibility for that demonstration lies squarely with the regulated firm, not its suppliers.

A Strategic, Not Just Compliance, Imperative

Perhaps the most significant implication of the PA Consulting analysis is that DORA should not be approached as a compliance exercise with a finish line. Unlike point-in-time regulatory implementations, digital operational resilience is by definition an ongoing state. Threat landscapes evolve, technology architectures change, and third-party relationships shift — all of which require financial institutions to maintain living, adaptive frameworks rather than static policies.

This positions DORA compliance less as a project and more as a permanent operational capability. Institutions that treat it as the former — investing in a burst of remediation activity and then moving on — are likely to find themselves exposed both to regulatory scrutiny and to the underlying operational risks the regulation was designed to address. Those that treat it as the latter, embedding resilience disciplines into their technology governance, risk management, and vendor relationship structures, stand to gain not just regulatory compliance but a more robust and trustworthy operational foundation.

What This Means for the Industry

The UK Finance and PA Consulting analysis arrives at a moment when DORA enforcement is becoming an active supervisory priority across EU member states. For financial entities still calibrating their responses, the message from Craig Oliver, Karan Chao, and the broader regulatory community is consistent: the expectation is not oversight of third parties in the traditional sense, but genuine, demonstrable resilience that extends through every critical dependency in an institution's technology stack. That is a materially higher bar than the sector has historically been held to, and meeting it will require investment, restructuring, and — most importantly — a shift in how boards and senior management conceptualise operational risk in the digital age. The institutions that move earliest and most deliberately will define the new standard. Those that delay risk finding themselves defined by their failures instead.

Written by the editorial team — independent journalism powered by Codego Press.